0002861
FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015
US Federal Financial Institutions Examination Council (FFIEC)
Audit Guideline
Free
FFIEC Business Continuity Planning Handbook 2015
FFIEC Business Continuity Planning (BCP) IT Examination Handbook
2015-02-01
The document as a whole was last reviewed and released on 2018-01-23T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. By virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015, tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. Terms shown with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Technical Security | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 [Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2] | Business Processes | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3] | Testing | Detective | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2] | Testing | Detective | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 [{matters requiring attention} Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 2; Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:4; Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: The potential impact of your conclusions on composite and component ratings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 3; {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:5] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [Interview management and review the business continuity request information to identify: Any material changes in the audit program, scope, or schedule related to business continuity activities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5] | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5] | Records Management | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 [Review management's response to audit recommendations noted since the last examination. Consider the following: Resolution of root causes rather than just specific audit deficiencies; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 2] | Testing | Detective | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior regulatory reports of examination; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 2; Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 1; {work paper} Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior examination workpapers; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 3] | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3] | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 [{internal audit report} Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4] | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1; Review management's response to audit recommendations noted since the last examination. Consider the following: Existence of any outstanding issues; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 3; Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations; TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 1] | Establish/Maintain Documentation | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [Review management's response to audit recommendations noted since the last examination. Consider the following: Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1; Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13; Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3] | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Review management's response to audit recommendations noted since the last examination. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2] | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [Determine whether audit involvement in the business continuity program is effective, including: Audit coverage of the business continuity program; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1] | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Determine whether audit involvement in the business continuity program is effective, including: Documentation of audit findings TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Supplies; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 [Determine whether management has considered the possibility of transferring critical aspects of the institution's operation to alternate backup providers or other industry participants to ensure continuity of operations in extreme situations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:4] | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development] | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 4] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Determine whether the financial institution's and TSP's risk management strategies are designed to achieve resilience, such as the ability to effectively respond to wide-scale disruptions, including cyber attacks and attacks on multiple critical infrastructure sectors. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10] | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Large scale disruptive events that could affect the ability to service clients; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 1; {state-of-the-art} Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Significant downtime that would threaten the financial institution's business resiliency. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 3; {state-of-the-art} Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Cyber events that could impact the ability to service clients; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 2] | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4] | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 2 Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4] | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3 Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1 Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1 Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Pandemics. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{risk profile} Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6] | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3 Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3] | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3] | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3] | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3] | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 [{continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4] | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5 Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2] | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment] | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 3] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7 {internal threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Internally identified threats; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 2] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [{external threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 3] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 1] | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment] | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [{risk profile} Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 [{business continuity policy} A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine the quality of business continuity plan oversight and support provided by the board and senior management. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2 {BCP and testing program} Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:2 {board committee} Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:1] | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6] | Human Resources Management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Implement a staff rotation plan. CC ID 12772 | Human Resources Management | Preventive | |
Rotate duties amongst the critical roles and positions. CC ID 06554 [{business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4] | Establish Roles | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5 {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4] | Behavior | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 | Business Processes | Preventive | |
Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 | Establish/Maintain Documentation | Preventive | |
Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 [Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Provide protective face masks for critical personnel, as necessary. CC ID 06803 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain an insider threat program. CC ID 10687 [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7] | Human Resources Management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process {configuration change}{component change} Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3] | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [Interview management and review the business continuity request information to identify: Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 1] | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Define the strategic Information Assurance roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [{business continuity testing strategy} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Crisis management decision process; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 3] | Process or Activity | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process] | Establish/Maintain Documentation | Preventive | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [{test strategy} Determine if test plans adequately complement testing strategies. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2] | Business Processes | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1] | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1 Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Back-room operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 2 {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to handle increased workloads supporting critical operations for extended periods. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 8 {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1 Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2] | Monitor and Evaluate Occurrences | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitor and Evaluate Occurrences | Preventive | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Behavior | Detective | |
Monitor systems for errors and faults. CC ID 04544 [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8] | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Communicate | Corrective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 [{BCP and testing program} Determine whether the financial institution and service provider consider their susceptibility to simultaneous attacks in their business resilience planning, testing, and recovery strategies. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:6] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Audits and Risk Management | Preventive | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Log Management | Preventive | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about filing Suspicious Activity Reports (SARs); TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 6] | Establish/Maintain Documentation | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Communicate | Preventive | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Communicate | Preventive | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Establish/Maintain Documentation | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
Implement file integrity monitoring. CC ID 01205 [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5] | Monitor and Evaluate Occurrences | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 [{corresponding} Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Full-scope, end-to-end testing with a frequency commensurate with complexity and risk; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 1 {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1] | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 [From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5] | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2] | Behavior | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [{business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7] | Technical Security | Detective | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Testing | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Testing | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Testing | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Data and Information Management | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Testing | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Behavior | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Testing | Preventive | |
Define the test requirements for each testing program. CC ID 13177 [Determine whether the institution relies on proxy testing. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:8 From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5 {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2] | Establish/Maintain Documentation | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Testing | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Communicate | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
Scan organizational networks for rogue devices. CC ID 00536 | Testing | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Scan the network for wireless access points. CC ID 00370 | Testing | Detective | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Technical Security | Corrective | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Configuration | Preventive | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Configuration | Corrective | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Process or Activity | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Process or Activity | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Communicate | Preventive | |
Align the penetration test program with industry standards. CC ID 12469 | Establish/Maintain Documentation | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Establish Roles | Preventive | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive | |
Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 | Testing | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Technical Security | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective | |
Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
Test the system for covert channels. CC ID 10652 | Testing | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3] | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [{technology vulnerability}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Technological and security vulnerabilities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 1 Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Technical Security | Preventive | |
Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective | |
Document and maintain test results. CC ID 17028 | Testing | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Establish/Maintain Documentation | Preventive | |
Include time information in the test results. CC ID 17105 | Establish/Maintain Documentation | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Communicate | Preventive | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Technical Security | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 | Technical Security | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Determine examination scope and objectives for reviewing the business continuity planning program. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 | Monitor and Evaluate Occurrences | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 [Review management's response to audit recommendations noted since the last examination. Consider the following: Monitoring systems used to track the implementation of recommendations on an ongoing basis TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 4] | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 [Determine whether audit involvement in the business continuity program is effective, including: Audit participation in testing as an observer and as a reviewer of test plans and results; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3 {business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3 {business continuity test process}{business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3] | Testing | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 [Determine whether audit involvement in the business continuity program is effective, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11] | Investigate | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 [{assess}Determine whether audit involvement in the business continuity program is effective, including: Assessment of business continuity preparedness during line(s) of business reviews; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 2] | Investigate | Detective | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities] | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Communicate | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2 {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2] | Establish/Maintain Documentation | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 [{business continuity testing policy} Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 3] | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Establish/Maintain Documentation | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1] | Establish/Maintain Documentation | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1] | Establish/Maintain Documentation | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1] | Establish/Maintain Documentation | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1] | Establish/Maintain Documentation | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 [{business continuity testing strategy}{bcp and testing program} Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 5] | Establish/Maintain Documentation | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 [{test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 2 {test strategy}{predetermined time frame} Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 8] | Testing | Detective | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to reconcile transaction data; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 3 Determine that the test assumptions are appropriate for core and significant firms and consider: Whether continuity arrangements continue to operate until all pending transactions are closed. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3 {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3 {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2 {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5] | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Establish/Maintain Documentation | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 [Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:3] | Establish/Maintain Documentation | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 [{take into account}Review and verify that the written BCP: Take(s) into account: Security; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 7 Determine that the BCP includes appropriate security procedures. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7 Verify that appropriate policies, standards, and processes address business continuity planning issues including: Security; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 1 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development] | Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Establish/Maintain Documentation | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis Interview management and review the business continuity request information to identify: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Establish/Maintain Documentation | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1 {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2] | Establish/Maintain Documentation | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5 {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4 {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4 Determine whether the BCP effectively addresses pandemic issues. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8 Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Roles and responsibilities of crisis management group members; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 1 Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2 Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2 {business continuity testing policy} Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 2] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 [Determine whether adequate risk mitigation strategies have been considered for: Preparation for return to normal operations once the permanent facilities are available. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Systems Continuity | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1 {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program {impact analysis}{service interruption} Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:7 {internal factor} Interview management and review the business continuity request information to identify: Any other internal or external factors that could affect the business continuity process. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 5] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5 Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8 {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development Determine the existence of an appropriate enterprise-wide BCP. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5 Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8] | Establish/Maintain Documentation | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define the conditions under which the back-up site would be used; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 4] | Systems Continuity | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development] | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1] | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities] | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 2 Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Trained employees are located at the back-up site at the time of disruption; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 1 Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8 {unavailability} Determine that the test assumptions are appropriate for core and significant firms and consider: Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 2 {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4 Determine whether the strategy addresses staffing considerations, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Determine whether satisfactory consideration has been given to geographic diversity for: Alternate staff; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 4] | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1] | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6 From the procedures performed: Document conclusions related to the quality and effectiveness of the business continuity process. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Process or Activity | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Crisis management (responsibility for disaster declaration and dealing with outside parties); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 5 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Include procedures for notifying the back-up site; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 5] | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 [{primary contact information} Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1] | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [Determine whether adequate risk mitigation strategies have been considered for: Recovery of data (e.g. backlogged transactions, reconciliation procedures); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 5 Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis {third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4 Determine whether adequate risk mitigation strategies have been considered for: BCP; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 3 Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: According to its priority ranking in the risk assessment; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 1 Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering long-term recovery arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering interdependencies among systems; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 2 {data backup}{data recovery} Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 [{take into account} Review and verify that the written BCP: Take(s) into account: Facilities; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 5 If the organization is relying on outside facilities for recovery, determine whether the recovery site: Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Systems Continuity | Detective | |
Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Configuration | Preventive | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Configuration | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Physical and Environmental Protection | Preventive | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Physical and Environmental Protection | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Configuration | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Physical and Environmental Protection | Preventive | |
Install electrical grounding equipment. CC ID 06359 | Physical and Environmental Protection | Preventive | |
Implement redundancy in life-safety systems. CC ID 02228 | Physical and Environmental Protection | Preventive | |
Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [{internal business process} Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 [{emergency procedure} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Explain actions to be taken in specific emergencies; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 | Establish/Maintain Documentation | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 [{internal business process} Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [{business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2] | Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1 Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Process or Activity | Corrective | |
Define and prioritize critical business records. CC ID 11687 | Establish/Maintain Documentation | Preventive | |
Identify all critical business records. CC ID 00737 | Records Management | Detective | |
Include the protection of personnel in the continuity plan. CC ID 06378 [{take into account} Review and verify that the written BCP: Take(s) into account: Personnel; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 | Establish/Maintain Documentation | Detective | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to relocate or engage staff from alternate sites; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 5] | Human Resources Management | Preventive | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8 Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2 Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8 Determine whether the continuity strategy addresses interdependent components, including: Key suppliers/business partners; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1 {technology service provider}Determine whether the continuity strategy addresses interdependent components, including: Third-party technology providers; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 3] | Behavior | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 | Establish/Maintain Documentation | Detective | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [{third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Establish/Maintain Documentation | Preventive | |
Include workstation continuity procedures in the continuity plan. CC ID 01378 | Establish/Maintain Documentation | Preventive | |
Include server continuity procedures in the continuity plan. CC ID 01379 [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7] | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Data and Information Management | Preventive | |
Include near-line capabilities in the continuity plan. CC ID 01383 | Establish/Maintain Documentation | Preventive | |
Include online capabilities in the continuity plan. CC ID 11690 | Establish/Maintain Documentation | Preventive | |
Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Establish/Maintain Documentation | Preventive | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 [Determine whether the continuity strategy addresses interdependent components, including: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 2 {voice service}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of telephony and electronic messaging due to the convergence of voice and data services on the same network; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 2 {data communication} Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include system continuity procedures in the continuity plan. CC ID 01268 [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8] | Establish/Maintain Documentation | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6 Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 {data communication} Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3] | Establish/Maintain Documentation | Detective | |
Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Establish/Maintain Documentation | Preventive | |
Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Establish/Maintain Documentation | Preventive | |
Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 [{one}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Reliance upon a single communications provider; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 1] | Testing | Detective | |
Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 5 Determine whether satisfactory consideration has been given to geographic diversity for: Alternate telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 3 {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4] | Testing | Detective | |
Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Testing | Detective | |
Include emergency power continuity procedures in the continuity plan. CC ID 01254 [Determine whether adequate risk mitigation strategies have been considered for: Alternate power supplies (e.g. uninterruptible power source, back-up generators); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 4 Determine whether the continuity strategy addresses interdependent components, including: Utilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include evacuation procedures in the continuity plan. CC ID 12773 | Systems Continuity | Preventive | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 [{take into account}Review and verify that the written BCP:Take(s) into account: Manual operating procedures. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 9] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
Designate an alternate facility in the continuity plan. CC ID 00742 | Establish/Maintain Documentation | Detective | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Determine whether satisfactory consideration has been given to geographic diversity for: Alternate facilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 1 Determine whether satisfactory consideration has been given to geographic diversity for: Alternate processing locations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 2 Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 5] | Physical and Environmental Protection | Preventive | |
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Establish/Maintain Documentation | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 [{take into account}Review and verify that the written BCP: Take(s) into account: Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 3 {backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6] | Establish/Maintain Documentation | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Operating systems; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 2 Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Utility programs; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 4 {data backup}Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Data; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 1 {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4] | Systems Continuity | Preventive | |
Determine which data elements to back up. CC ID 13483 | Data and Information Management | Detective | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Communicate | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 {backup media} Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Back-up media; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 1 Determine whether satisfactory consideration has been given to geographic diversity for: Off-site storage. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 5] | Testing | Detective | |
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Configuration | Preventive | |
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Establish/Maintain Documentation | Preventive | |
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Systems Continuity | Detective | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 | Data and Information Management | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 | Process or Activity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Back up all records. CC ID 11974 | Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis] | Establish/Maintain Documentation | Preventive | |
Encrypt backup data. CC ID 00958 | Configuration | Preventive | |
Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Testing | Detective | |
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
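The backup controls above (logging each backup execution, testing backup media for media and information integrity, signing images, and tying backup frequency to the documented RPO) are stated as requirements only. The following is an added example, not code from the FFIEC handbook or the UCF mapping, of how one small tool can satisfy several of them together: it builds a hash manifest of the files captured in a backup run, signs the manifest, emits one log line per run, verifies restored media against the manifest, and checks the age of the newest backup against an RPO. The sample files, timestamps and signing key are constructed placeholders. HMAC-SHA256 stands in for a digital signature so that the example runs with the Python standard library alone; a production deployment would use an asymmetric signature with the private key held off the backup host, and would also encrypt the media (not shown here).

```python
"""Backup integrity manifest: hash, sign, log, verify, and check RPO.

Added example (not from the FFIEC handbook or the UCF mapping). All
inputs are constructed; the signing key and file contents are
placeholders. HMAC-SHA256 stands in for a digital signature so the
example needs only the standard library; in production, sign with an
asymmetric key whose private half never lives on the backup host.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample key; in practice it comes from an HSM or KMS.
SIGNING_KEY = b"example-key-do-not-use-in-production"

# Constructed "backup media": file name -> contents.
SAMPLE_BACKUP = {
    "core/ledger.db": b"ACCT 1001 CR 250.00\nACCT 1002 DR 250.00\n",
    "core/config.ini": b"[db]\nhost=primary\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, created_at: datetime, source: str) -> dict:
    """Record size and SHA-256 of every file captured in one backup run."""
    return {
        "source": source,
        "created_at": created_at.isoformat(),
        "files": {
            name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(files.items())
        },
    }


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the signature covers a stable byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(files: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Return a list of findings; empty means the media matches an authentic manifest."""
    findings = []
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        findings.append("manifest signature invalid")
        return findings  # a forged manifest would make the hash checks meaningless
    recorded = manifest["files"]
    for name, entry in recorded.items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif sha256_hex(files[name]) != entry["sha256"]:
            findings.append(f"hash mismatch: {name}")
    for name in files:
        if name not in recorded:
            findings.append(f"unexpected file: {name}")
    return findings


def log_backup_run(manifest: dict, signature: str, findings: list) -> str:
    """One JSON line per backup execution, suitable for an append-only log."""
    return json.dumps({
        "event": "backup_completed",
        "source": manifest["source"],
        "created_at": manifest["created_at"],
        "file_count": len(manifest["files"]),
        "manifest_sig": signature,
        "verified": not findings,
        "findings": findings,
    }, sort_keys=True)


def rpo_status(last_backup_at: datetime, now: datetime, rpo: timedelta) -> dict:
    """Compare the age of the newest verified backup against the documented RPO."""
    age = now - last_backup_at
    return {"age_seconds": int(age.total_seconds()), "within_rpo": age <= rpo}


def example_run() -> dict:
    """Exercise the full cycle on the constructed sample media."""
    t0 = datetime(2015, 2, 1, 2, 0, tzinfo=timezone.utc)
    manifest = build_manifest(SAMPLE_BACKUP, t0, "core-banking")
    sig = sign_manifest(manifest, SIGNING_KEY)
    clean = verify_backup(SAMPLE_BACKUP, manifest, sig, SIGNING_KEY)
    # Media corrupted after the backup: one file changed, manifest intact.
    bad_media = {**SAMPLE_BACKUP, "core/ledger.db": b"ACCT 1001 CR 999.00\n"}
    corrupted = verify_backup(bad_media, manifest, sig, SIGNING_KEY)
    # Attacker edits the manifest to match the corrupted file but cannot re-sign it.
    forged = json.loads(canonical(manifest))
    forged["files"]["core/ledger.db"]["sha256"] = sha256_hex(bad_media["core/ledger.db"])
    tampered = verify_backup(bad_media, forged, sig, SIGNING_KEY)
    return {
        "clean": clean,
        "corrupted": corrupted,
        "tampered": tampered,
        "log_line": log_backup_run(manifest, sig, clean),
        "rpo": rpo_status(t0, t0 + timedelta(hours=5), timedelta(hours=4)),
    }


if __name__ == "__main__":
    for k, v in example_run().items():
        print(k, v)
```

Run as a script to see the three verification outcomes (clean media, corrupted media, forged manifest) and an RPO check that fails because the newest backup is five hours old against a four-hour objective. The signature check runs first and short-circuits on failure, because per-file hashes from an unauthenticated manifest prove nothing; the same ordering applies when verifying at the alternate facility, where the key must be available independently of the primary site.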
Include emergency communications procedures in the continuity plan. CC ID 00750 [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2 Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7 Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Customers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 3 {authorities}Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Local, state, and federal agencies; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 5 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Regulators. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 6 Verify that appropriate policies, standards, and processes address business continuity planning issues including: Notification standards (employees, customers, regulators, vendors, service providers); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 9 Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2] | Establish/Maintain Documentation | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Critical service providers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 1 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Key financial correspondents; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 2 {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1] | Establish/Maintain Documentation | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2 Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Designate a knowledgeable public relations spokesperson; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 7] | Communicate | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2 Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Media representatives; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 4] | Communicate | Corrective | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 [{takes into account}Review and verify that the written BCP:Take(s) into account: Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 8] | Testing | Detective | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 [{take into account}Review and verify that the written BCP:Take(s) into account: Liquidity; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 6] | Acquisition/Sale of Assets or Services | Preventive | |
Minimize system continuity requirements. CC ID 00753 | Establish/Maintain Documentation | Preventive | |
Include purchasing insurance in the continuity plan. CC ID 00762 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Insurance; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 10 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Acquisition/Sale of Assets or Services | Preventive | |
Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Acquisition/Sale of Assets or Services | Preventive | |
Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Business Processes | Detective | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
Validate information security continuity controls regularly. CC ID 12008 | Systems Continuity | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Timely distribution of revised plans to personnel. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 2 {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff access to key documentation (plans, procedures, and forms); and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 7 {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 {third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9] | Establish/Maintain Documentation | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a pandemic plan. CC ID 13214 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Match emergency policies to the level of disruption anticipated in the pandemic plan. CC ID 14375 | Establish/Maintain Documentation | Preventive | |
Identify employees who have family members who are first responders or medical personnel. CC ID 14389 | Human Resources Management | Detective | |
Identify tasks that can be accomplished at alternate work sites. CC ID 14393 | Process or Activity | Preventive | |
Include work that will be suspended during the pandemic in the pandemic plan. CC ID 14380 | Establish/Maintain Documentation | Preventive | |
Include alternate work locations in the pandemic plan. CC ID 14376 | Establish/Maintain Documentation | Preventive | |
Assign pandemic planning roles and responsibilities, as necessary. CC ID 13230 [Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:2] | Establish Roles | Preventive | |
Include modifications to the absenteeism policy in the pandemic plan. CC ID 13232 [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9] | Establish/Maintain Documentation | Preventive | |
Include remote access requirements in the pandemic plan. CC ID 13233 [Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:10] | Establish/Maintain Documentation | Preventive | |
Include a compensation plan in the pandemic plan. CC ID 13231 [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9] | Establish/Maintain Documentation | Preventive | |
Revalidate exceptions to the pandemic plan, as necessary. CC ID 14395 | Establish/Maintain Documentation | Preventive | |
Approve exceptions to the pandemic plan, as necessary. CC ID 14392 | Establish/Maintain Documentation | Preventive | |
Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan. CC ID 14374 | Establish/Maintain Documentation | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Systems Continuity | Preventive | |
Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746 [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8 Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Work locations for business functions; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 3 Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Workspace recovery - the adequacy of floor space, desktop computers, network connectivity, e-mail access, and telephone service; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 [{alternate facility} Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1] | Establish/Maintain Documentation | Preventive | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Establish/Maintain Documentation | Preventive | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Establish/Maintain Documentation | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Establish/Maintain Documentation | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Establish/Maintain Documentation | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Establish/Maintain Documentation | Preventive | |
Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 | Establish/Maintain Documentation | Preventive | |
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [{alternate facility} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify a current inventory of items needed for off-site processing; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 6 {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Provides sufficient processing time for the anticipated workload based on emergency priorities; and TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 2 {capability}{independent} If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:2 {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Has the ability to process the required volume; TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 1 {recovery site} Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:4 Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 4 {alternate facility} Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:5] | Configuration | Preventive | |
Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2] | Technical Security | Preventive | |
Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2] | Physical and Environmental Protection | Preventive | |
Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 [Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:6] | Communicate | Preventive | |
Protect backup systems and restoration systems at the alternate facility. CC ID 04883 [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Applications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 3] | Systems Continuity | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6 Verify that appropriate policies, standards, and processes address business continuity planning issues including: Employee training; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8 Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Behavior | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Behavior | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1] | Behavior | Preventive | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Training | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5 Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6 {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11 Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: An evaluation of the reasonableness of assumptions used in developing the testing strategy. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 4 {BCP testing program} Determine whether the financial institution's testing program enhances resilience through demonstrated ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to wide-scale disasters consistent with the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12 {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6 {core firm} Determine that the test assumptions are appropriate for core and significant firms and consider: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1 {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2] | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [{sudden operational failure} Determine that the test assumptions are appropriate for core and significant firms and consider: Primary data centers and operations facilities that are completely inoperable without notice; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 1 Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed schedules to complete each test; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 7 Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 5 {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4] | Establish/Maintain Documentation | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Establish/Maintain Documentation | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Establish/Maintain Documentation | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Establish/Maintain Documentation | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Establish/Maintain Documentation | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Establish/Maintain Documentation | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Establish/Maintain Documentation | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test event dates and time stamps; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the risk assessment results in the continuity test plan. CC ID 17205 | Establish/Maintain Documentation | Preventive | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:4 {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 {bcp testing program}{region}{nation} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Local, regional, or national testing/exercises. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 5] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 [{BCP testing program} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Telecommuting to simulate and test remote access; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 2 Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2 Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1 {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1 {connectivity testing}{test plan} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1 {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3 {business continuity testing strategy} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Risk assumptions; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 2 {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3 {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6 Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1 {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2] | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 [Determine whether testing scenarios with critical third-parties considers: Return to normal operations. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 6 Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2 Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7] | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [{BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3 {business continuity testing strategy}{internal communication procedure}{external communication procedure} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5 {business continuity testing strategy}{internal contact} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Notification procedures to follow for internal and external contacts. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 6 {business continuity testing strategy}{key stakeholders} Determine whether the strategy addresses staffing considerations, including: The ability to communicate with key internal and external stakeholders; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 2] | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{critical third party} Evaluate how the financial institution ensures timeliness, thoroughness, and completeness of periodic testing with their critical providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:4 Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Participation in third-party testing; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 4 Determine that the test assumptions are appropriate for core and significant firms and consider: Other organizations in the immediate area that are also affected; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 3 Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes critical subcontractors. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 3] | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10 Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 4 {BCP testing program}{table top exercise} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Table top operations exercises; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 4 {business continuity testing strategy}{emergency response} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Determine whether testing scenarios with critical third-parties considers: An outage or disruption of the service provider; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 1 Determine whether testing scenarios with critical third-parties considers: An outage or disruption at the financial institution; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 2 Determine whether testing scenarios with critical third-parties considers: Crisis management; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 4 Determine whether testing scenarios with critical third-parties considers: Cyber events; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 5 Determine that the test assumptions are appropriate for core and significant firms and consider: Infrastructure (power, telecommunications, transportation) that is disrupted; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 4 {business continuity testing strategy} Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1 {test scenario}{feasibility} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 4 {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1 {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3 {test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 1] | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 [Determine whether the continuity strategy addresses interdependent components, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3 Determine that test scenarios reflect key interdependencies. Consider the following: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 9 Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2] | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2] | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 [Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' alternative location. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 3 Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' primary location; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 2 Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's primary location to the TSPs' alternative location; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 1 Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2 {connectivity testing}{test plan} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1 {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3 {business continuity testing strategy} Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 10 {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3] | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity testing strategy} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4 Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2 {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1 {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES 
AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1] | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 [{technology service provider}{recovery time objective}{wide-scale disruption}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: DR/BCP test results for RTOs that provide evidence the TSP can recover from large scale disruptions and cyber events; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 1 Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10 Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Third-party testing results; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 5 {business continuity test} Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Determine whether the significant firm meets the testing requirements of applicable core firms. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 11 Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that test the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12 Determine whether the institution receives adequate testing information which validates and demonstrates the recovery capability and capacity of their critical service providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:9] | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5 {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Business continuity test results; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 5 Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 8] | Actionable Reports or Measurements | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Testing | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Communicate | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 [{retest} Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 4] | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [{business continuity testing strategy}{recovery of lost data} Determine whether the strategy addresses technology considerations, including: Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 5] | Testing | Detective | |
Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program] | Testing | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 [{incident containment procedure} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Steps to be taken to contain the problem; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 3] | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Procedures for determining the nature and scope of the incident; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 2] | Testing | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about what is required for contacting affected customers; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 4] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 [{data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9] | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include the incident reference code in incident response notifications. CC ID 17292 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 [{reasonable method} Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:4 Verify that appropriate policies, standards, and processes address business continuity planning issues including: Remote access; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 7 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about contacting the appropriate regulator; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 5] | Communicate | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Teams and responsibilities; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 1] | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Investigate | Detective | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
Include coverage of all system components in the Incident Response program. CC ID 11955 [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3 {cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about addressing zero-day attacks; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Include business continuity procedures in the Incident Response program. CC ID 06433 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Incident response; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 6 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Establish/Maintain Documentation | Preventive | |
Test the incident response procedures. CC ID 01216 [{cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: A requirement for periodic testing of the incident response plan in the real-world threat landscape; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 8 Determine whether testing scenarios with critical third-parties considers: An incident response plan; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 3] | Testing | Detective | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Establish/Maintain Documentation | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [{TSP} Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Inclusion of reasonable performance standards (e.g., SLAs, RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Change control process; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 3 {configuration change}{component change} Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Establish/Maintain Documentation | Preventive | |
Include resources in the transition strategy. CC ID 17289 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
Document the organization's local environments. CC ID 06726 [Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain local environment security profiles. CC ID 07037 | Establish/Maintain Documentation | Preventive | |
Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Establish/Maintain Documentation | Preventive | |
Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Establish/Maintain Documentation | Preventive | |
Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Establish/Maintain Documentation | Preventive | |
Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Establish/Maintain Documentation | Preventive | |
Include facility information for the local environment in the local environment security profile. CC ID 07042 | Establish/Maintain Documentation | Preventive | |
Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
Update the local environment security profile, as necessary. CC ID 07043 | Establish/Maintain Documentation | Preventive | |
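The control "Implement cryptographic mechanisms to authenticate software and computer firmware before installation" (CC ID 10682) in the patch management rows above names a technique without showing one. The Go program below is an added illustration of that gate; it is not code from the FFIEC handbook or from the UCF mapping. The package layout (`SignedPackage`), the hypothetical `Install` function, the sample image bytes and the key pair generated at run time are all assumptions made for the example. In a real deployment the vendor's public key is pinned on the device or in the deployment tooling, never generated alongside the package being checked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when the signature does not verify against
// the trusted (pinned) vendor public key.
var ErrBadSignature = errors.New("firmware signature verification failed")

// SignedPackage is a constructed, hypothetical package layout: the image
// bytes, the SHA-256 digest the vendor claims for them, and an Ed25519
// signature over that digest.
type SignedPackage struct {
	Image     []byte
	Digest    [32]byte
	Signature []byte
}

// SignPackage is the release-time step performed by the vendor or build
// pipeline; it is included only so the example runs offline.
func SignPackage(priv ed25519.PrivateKey, image []byte) SignedPackage {
	digest := sha256.Sum256(image)
	return SignedPackage{
		Image:     image,
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyPackage is the pre-installation check: recompute the digest from
// the bytes actually received, confirm it matches the claimed digest, then
// verify the vendor signature over that digest with the pinned public key.
func VerifyPackage(trusted ed25519.PublicKey, pkg SignedPackage) error {
	actual := sha256.Sum256(pkg.Image)
	if !bytes.Equal(actual[:], pkg.Digest[:]) {
		return errors.New("firmware digest does not match image bytes")
	}
	if !ed25519.Verify(trusted, pkg.Digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Install proceeds only when VerifyPackage passes and reports whether the
// image was accepted. Writing the image to flash is out of scope here.
func Install(trusted ed25519.PublicKey, pkg SignedPackage) (bool, error) {
	if err := VerifyPackage(trusted, pkg); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Key pair generated here for the demo only (assumption).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed sample firmware image v1.2.3")
	pkg := SignPackage(priv, image)

	ok, err := Install(pub, pkg)
	fmt.Println("genuine package accepted:", ok, err)

	// Attacker flips a byte in transit; digest check fails.
	tampered := pkg
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	ok, err = Install(pub, tampered)
	fmt.Println("tampered image accepted:", ok, err)

	// Attacker also rewrites the digest; signature check now fails.
	tampered.Digest = sha256.Sum256(tampered.Image)
	ok, err = Install(pub, tampered)
	fmt.Println("tampered image with recomputed digest accepted:", ok, err)

	// A package signed by an untrusted key is rejected as well.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ok, err = Install(otherPub, pkg)
	fmt.Println("package verified with wrong key:", ok, err)
}
```

The digest comparison alone is not the authentication step; anyone who can alter the image can recompute a hash. The signature over the digest, checked against a key the installer already trusts, is what ties the bytes to the vendor, which is why the example rejects the recomputed-digest case and the wrong-key case as well.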
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [{facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5] | Physical and Environmental Protection | Corrective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1] | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1] | Establish/Maintain Documentation | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive |
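The visitor-log and physical-access-log controls above (CC ID 00715 through 14755, and the correlation of access-control data with other entries under CC ID 11609) are only useful if someone actually reviews the records. The following is an added example, not part of the handbook or of the UCF mapping, of the kind of anomaly report a reviewer would run: it takes constructed visitor-log rows and constructed badge events (both schemas are assumptions), and flags missing sign-outs, entries without an authorizing host, after-hours entry, over-long visits, badge events outside the visit window or outside the visitor's approved areas, and badge events for people who never signed in. The business-hours window and maximum visit length are illustrative site standards.

```python
"""Anomaly report over a visitor log correlated with badge access events.

Added example with constructed data; the field names below are assumptions,
not definitions from the FFIEC handbook or the UCF.
"""
from datetime import datetime, timedelta

# Constructed visitor-log rows (assumed schema): one row per sign-in.
VISITOR_LOG = [
    {"name": "A. Vendor", "org": "HVAC Co", "purpose": "chiller service",
     "areas": {"lobby", "mechanical"}, "host": "j.smith", "id_type": "driver licence",
     "in": "2024-03-04T09:02", "out": "2024-03-04T11:40"},
    {"name": "B. Auditor", "org": "ExtAudit LLP", "purpose": "SOC review",
     "areas": {"lobby", "conference"}, "host": "m.jones", "id_type": "passport",
     "in": "2024-03-04T13:15", "out": None},               # never signed out
    {"name": "C. Courier", "org": "ParcelCo", "purpose": "delivery",
     "areas": {"loading_dock"}, "host": "", "id_type": "company badge",
     "in": "2024-03-04T21:30", "out": "2024-03-04T21:45"},  # after hours, no host
]

# Constructed badge/door events (assumed schema) to correlate with the visitor log.
ACCESS_EVENTS = [
    ("2024-03-04T09:05", "A. Vendor", "mechanical"),
    ("2024-03-04T10:20", "A. Vendor", "data_center"),   # not an approved area
    ("2024-03-04T13:20", "B. Auditor", "conference"),
    ("2024-03-04T15:00", "D. Unknown", "server_room"),  # no visitor-log entry at all
]

BUSINESS_HOURS = (8, 18)        # 08:00-18:00, an assumed site standard
MAX_VISIT = timedelta(hours=8)  # assumed site standard


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def visitor_anomalies(log, events, hours=BUSINESS_HOURS, max_visit=MAX_VISIT):
    """Return a list of (person, anomaly) tuples for the reviewer."""
    findings = []
    for v in log:
        t_in = _t(v["in"])
        if not v["host"]:
            findings.append((v["name"], "no authorising host recorded"))
        if not (hours[0] <= t_in.hour < hours[1]):
            findings.append((v["name"], "entry outside business hours"))
        if v["out"] is None:
            findings.append((v["name"], "no sign-out recorded"))
            t_out = datetime.max  # still on site as far as the log knows
        else:
            t_out = _t(v["out"])
            if t_out < t_in:
                findings.append((v["name"], "sign-out precedes sign-in"))
            elif t_out - t_in > max_visit:
                findings.append((v["name"], "visit exceeds maximum duration"))
        # Correlate this visitor's badge events with the visit window and approved areas.
        for ts, who, area in events:
            if who != v["name"]:
                continue
            t = _t(ts)
            if not (t_in <= t <= t_out):
                findings.append((who, f"badge event in {area} outside visit window"))
            elif area not in v["areas"]:
                findings.append((who, f"entered {area}, not an approved area"))
    # Badge activity by someone who never appears in the visitor log.
    logged = {v["name"] for v in log}
    for ts, who, area in events:
        if who not in logged:
            findings.append((who, f"badge event in {area} with no visitor-log entry"))
    return findings


if __name__ == "__main__":
    for person, why in visitor_anomalies(VISITOR_LOG, ACCESS_EVENTS):
        print(f"{person}: {why}")
```

Each finding maps back to a row in the table: a missing host covers CC ID 12466, a missing sign-out covers CC ID 06649, the area check covers CC ID 12237, and the last loop is the correlation CC ID 11609 asks for. In practice the visitor log and the badge system's export would be read from files rather than embedded.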
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Remove all unnecessary functionality. CC ID 00882 | Configuration | Preventive | |
Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 | Configuration | Preventive | |
Configure the File Replication service properly. CC ID 05068 [{data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Configuration | Preventive | |
Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406 [{backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6] | Configuration | Preventive | |
Configure the "Retain deleted items for the specified number of days" to organizational standards. CC ID 08407 | Configuration | Preventive | |
Configure the "Do not permanently delete items until the database has been backed up" to organizational standards. CC ID 08490 | Configuration | Preventive | |
Configure the "Keep deleted mailboxes for the specified number of days" to organizational standards. CC ID 08600 | Configuration | Preventive |
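The three mailbox-database settings above (CC ID 08407, 08490 and 08600) are the ones that decide whether deleted mail and deleted mailboxes are still recoverable when a backup has to be restored. The following is an added example, not from the handbook or the UCF, of checking an export of those settings against an organizational standard. It assumes the values were exported as the "d.hh:mm:ss" strings the Exchange cmdlets display, and the thresholds in STANDARD are illustrative assumptions; the second sample database carries the Exchange defaults (14-day deleted-item retention, deleted items not held until backup), which is the weak configuration.

```python
"""Check exported mailbox-database retention settings against an organizational standard.

Added example, not from the handbook or the UCF. Assumes the settings were
exported as the 'd.hh:mm:ss' strings the Exchange cmdlets display; the
threshold values are illustrative assumptions.
"""
import re
from datetime import timedelta

# Assumed organizational standard (illustrative values).
STANDARD = {
    "DeletedItemRetention": timedelta(days=30),   # minimum
    "MailboxRetention": timedelta(days=30),       # minimum
    "RetainDeletedItemsUntilBackup": True,        # required value
}

# 'd.hh:mm:ss' with the day part optional, e.g. '30.00:00:00' or '01:30:00'.
_TS = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_timespan(s):
    """Parse an Exchange-style timespan string into a timedelta."""
    m = _TS.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised timespan: {s!r}")
    d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=sec)


def check_database(db, standard=STANDARD):
    """Return a list of deviations for one exported database record."""
    issues = []
    for key, want in standard.items():
        have = db.get(key)
        if have is None:
            issues.append(f"{db['Name']}: {key} missing from export")
            continue
        if isinstance(want, timedelta):
            if parse_timespan(have) < want:
                issues.append(f"{db['Name']}: {key}={have} below minimum {want.days} days")
        elif have != want:
            issues.append(f"{db['Name']}: {key}={have}, expected {want}")
    return issues


# Constructed sample export (assumed shape): one compliant and one weak database.
SAMPLE_EXPORT = [
    {"Name": "DB01", "DeletedItemRetention": "30.00:00:00",
     "RetainDeletedItemsUntilBackup": True, "MailboxRetention": "30.00:00:00"},
    {"Name": "DB02", "DeletedItemRetention": "14.00:00:00",   # Exchange default
     "RetainDeletedItemsUntilBackup": False, "MailboxRetention": "30.00:00:00"},
]


def audit(export, standard=STANDARD):
    """Flatten deviations across every database in the export."""
    return [i for db in export for i in check_database(db, standard)]


if __name__ == "__main__":
    for issue in audit(SAMPLE_EXPORT):
        print(issue)
```

The point of RetainDeletedItemsUntilBackup is that a retention window alone is not enough: items can still age out before the database has been backed up, so the window and the backup dependency have to be checked together.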
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Project management; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 2 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Establish/Maintain Documentation | Preventive | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems Design, Build, and Implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Establish/Maintain Documentation | Preventive | |
Include budgeting for projects in the project management standard. CC ID 13136 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Establish/Maintain Documentation | Preventive | |
Formally approve the initiation of each project phase. CC ID 00997 | Systems Design, Build, and Implementation | Detective | |
Establish, implement, and maintain integrated project plans. CC ID 01056 | Establish/Maintain Documentation | Preventive | |
Perform a risk assessment for each system development project. CC ID 01000 | Testing | Detective | |
Establish, implement, and maintain a project control program. CC ID 01612 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 | Establish/Maintain Documentation | Preventive | |
Identify accreditation tasks. CC ID 00999 | Systems Design, Build, and Implementation | Detective | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Establish/Maintain Documentation | Preventive | |
Conduct a post implementation review when the system design project ends. CC ID 01003 | Testing | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 [{authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6] | Technical Security | Preventive | |
Control user privileges. CC ID 11665 | Technical Security | Preventive | |
Review all user privileges, as necessary. CC ID 06784 | Technical Security | Preventive | |
Review each user's access capabilities when their role changes. CC ID 00524 [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5] | Technical Security | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1] | Establish/Maintain Documentation | Preventive | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
Install security and protection software, as necessary. CC ID 00575 | Configuration | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
Scan for malicious code, as necessary. CC ID 11941 | Investigate | Detective | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical Security | Preventive | |
Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
Lock antivirus configurations. CC ID 10047 | Configuration | Preventive | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 | Establish/Maintain Documentation | Preventive | |
Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356 [Determine whether the financial institution and service provider manage the underlying virtualization platform upon which cloud disaster recovery services are based to minimize the impact of attacks designed to cause data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:3] | Configuration | Preventive |
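Objectives 7:5 and 7:6 (cited under CC ID 00538 and 00524 above) ask whether credentials are based on primary job responsibilities and whether back-up personnel's access changes when a continuity scenario is in effect. The following is an added example, not from the handbook or the UCF, of an entitlement reconciliation that makes that question answerable: each user's granted permissions are compared with what their primary role needs, and separately with what their BCP alternate role needs once a scenario is declared. Role names, permission strings and user records are constructed; the data shapes are assumptions.

```python
"""Reconcile granted entitlements against job roles, including BCP alternate roles.

Added example, not from the handbook or the UCF. Role and permission names are
constructed and the record shapes are assumptions.
"""

# Assumed role model: the permissions a role needs day to day.
ROLE_PERMISSIONS = {
    "teller": {"core:read", "core:post_txn"},
    "ops_lead": {"core:read", "core:post_txn", "core:approve", "backup:restore"},
    "sysadmin": {"host:admin", "backup:restore", "backup:verify"},
}

# Assumed BCP alternate assignments: a role the person covers only when a scenario is declared.
BCP_ALTERNATES = {
    "alice": "ops_lead",   # teller who steps up to ops lead at the recovery site
}

# Constructed user records: primary role and the permissions actually granted today.
USERS = {
    "alice": {"role": "teller",
              "granted": {"core:read", "core:post_txn", "core:approve", "backup:restore"}},
    "bob":   {"role": "sysadmin",
              "granted": {"host:admin", "backup:restore", "backup:verify", "core:approve"}},
    "carol": {"role": "ops_lead",
              "granted": {"core:read", "core:post_txn"}},
}


def expected_permissions(user, bcp_active):
    """Permissions the user should hold: primary role, plus the alternate role if BCP is active."""
    perms = set(ROLE_PERMISSIONS[USERS[user]["role"]])
    alt = BCP_ALTERNATES.get(user)
    if bcp_active and alt:
        perms |= ROLE_PERMISSIONS[alt]
    return perms


def reconcile(bcp_active=False):
    """Return {user: {"excess": set, "missing": set}} for every user with a deviation."""
    report = {}
    for user, rec in USERS.items():
        want = expected_permissions(user, bcp_active)
        have = rec["granted"]
        excess, missing = have - want, want - have
        if excess or missing:
            report[user] = {"excess": excess, "missing": missing}
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print(f"BCP scenario active: {mode}")
        for user, dev in reconcile(mode).items():
            print(f"  {user}: excess={sorted(dev['excess'])} missing={sorted(dev['missing'])}")
```

Run in normal operations, alice shows two excess permissions; run with the scenario active, she shows none. That is exactly the case an examiner is probing: standing grants that are only justified by a continuity role should either be issued just-in-time when the plan is invoked or be recorded as a documented exception, and carol's missing permissions show that the alternate who would cover for her also needs to be in the model. bob's excess approval right is a plain least-privilege finding in either mode.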
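Cyber Resilience Objective 10:1 (cited under CC ID 13050) asks for data integrity controls in the response and recovery strategy, and Objective 10:5 (under CC ID 00574) lists integrity checks as one layer of the anti-malware strategy. Both come down to the same mechanism: a baseline of file hashes taken when a backup set or program library is known good, and a verification step that reports what changed before the content is restored or loaded. The following is an added example, not from the handbook or the UCF, that builds such a manifest, seals it with an HMAC so that whoever can alter the files cannot also silently rewrite the manifest, and verifies a constructed directory after simulated corruption, deletion, an added file, and a forged manifest entry. The key constant is a placeholder assumption; in production it belongs in a KMS or HSM.

```python
"""Integrity baseline and verification for a backup set or program library.

Added example, not from the handbook or the UCF. Per-file SHA-256 manifest plus
an HMAC over the manifest. The static key below is a placeholder assumption.
"""
import hashlib
import hmac
import json
import os
import tempfile


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def seal(manifest, key):
    """Attach an HMAC-SHA256 over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify(root, sealed, key):
    """Return (manifest_trusted, diff). If the MAC fails, stop without trusting the manifest."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        return False, {}
    base, current = sealed["manifest"], build_manifest(root)
    diff = {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "missing": sorted(p for p in base if p not in current),
        "added": sorted(p for p in current if p not in base),
    }
    return True, diff


def demo():
    """Baseline a constructed directory, then tamper with it and with the manifest."""
    key = b"placeholder-key-keep-real-keys-in-a-kms-or-hsm"  # assumption, not for production
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for rel, data in {"lib/app.so": b"\x7fELF...", "backup.dat": b"records-v1"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        sealed = seal(build_manifest(root), key)
        ok_clean, diff_clean = verify(root, sealed, key)
        # Simulate corruption, a deleted library and a dropped file after the baseline.
        with open(os.path.join(root, "backup.dat"), "wb") as f:
            f.write(b"records-v1-corrupted")
        os.remove(os.path.join(root, "lib", "app.so"))
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ...")
        ok_tampered, diff = verify(root, sealed, key)
        # An attacker who edits the manifest to match the corrupted file is caught by the MAC.
        sealed["manifest"]["backup.dat"] = hashlib.sha256(b"records-v1-corrupted").hexdigest()
        ok_forged, _ = verify(root, sealed, key)
    return ok_clean, diff_clean, ok_tampered, diff, ok_forged


if __name__ == "__main__":
    print(demo())
```

The manifest should be generated on the system that produces the backup and verified on the one that restores it, with the key held by neither of the paths an attacker who corrupts backups would already control; otherwise the MAC adds nothing over the bare hash list.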
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [{third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 | Business Processes | Corrective | |
Document and maintain supply chain processes. CC ID 08816 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Data governance expectations. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 8 Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1 Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2] | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2 {technology service provider}{recovery time objective}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Independent audit reports that support the RTOs; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4] | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Awareness and oversight of service provider's use of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12] | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 [Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4 Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Periodic reporting to an appropriate oversight committee; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [{TSP}{contract termination}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Right to terminate language (if the TSP defaults on SLAs and RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 4] | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include personnel security requirements for third parties in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Adherence to U.S. data confidentiality and security standards at a minimum by foreign-based service providers/subcontractors; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 6 Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 [Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2] | Testing | Detective | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 | Data and Information Management | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Establish/Maintain Documentation | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 | Establish/Maintain Documentation | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 | Establish/Maintain Documentation | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Establish/Maintain Documentation | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Establish/Maintain Documentation | Preventive | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [{offshore data storage}{risk profile} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: Evidence of management's evaluation of whether storage of data offshore (production or back-up) meets the financial institution's risk appetite and profile; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Business Processes | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1 {take into account}Review and verify that the written BCP: Take(s) into account: Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 4 {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9 Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 {backup and recovery capability} Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Recovery capabilities and capacity of the service provider; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 1 {TSP} Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews). TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:11 {predetermined time frame} Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 2 {foreign-based third party} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2] | Business Processes | Detective | |
Review third parties' backup policies. CC ID 13043 [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1] | Systems Continuity | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Cyber resilience and preparedness; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 2 Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Significant downtime that would threaten the financial institution's business resilience; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 3] | Business Processes | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Service provider's oversight of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 4] | Business Processes | Detective | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Testing requirements with the TSP; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 7] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2 {Management Information System}Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Regular review of MIS reporting (e.g., adherence to RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 3] | Business Processes | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Business Processes | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: TSP accountability for actions/inactions of subcontractors should the subcontractor fail to provide necessary service(s) for business recovery capabilities; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 5] | Establish/Maintain Documentation | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 [{take into account}Review and verify that the written BCP: Take(s) into account: Liquidity; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 6] | Operational and Systems Continuity | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Preventive | |
Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Preventive | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5] | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 1] | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5 {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Business continuity test results; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 5 Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 8] | Operational and Systems Continuity | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Monitoring and measurement | Preventive | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior regulatory reports of examination; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 2 Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 1 {work paper}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior examination workpapers; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 3] | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3] | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Review management's response to audit recommendations noted since the last examination. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2] | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [Determine whether audit involvement in the business continuity program is effective, including: Audit coverage of the business continuity program; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1] | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Determine whether audit involvement in the business continuity program is effective, including: Documentation of audit findings TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4] | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4] | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 2 Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4] | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3 Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment] | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 3] | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7 {internal threat}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Internally identified threats; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 2] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [{external threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 3] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2] | Monitoring and measurement | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1 {technology service provider}Determine whether the continuity strategy addresses interdependent components, including: Third-party technology providers; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 3] | Operational and Systems Continuity | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{business continuity policy} A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6 Verify that appropriate policies, standards, and processes address business continuity planning issues including: Employee training; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8 Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3 The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes] | Operational and Systems Continuity | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1] | Operational and Systems Continuity | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5 {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4] | Human Resources management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive |